Re: [Qemu-devel] [PATCH v5 1/4] vhost-user: add new vhost user messages to support virtio config space

2017-11-22 Thread Michael S. Tsirkin 
On Fri, Nov 17, 2017 at 04:44:37AM +0800, Changpeng Liu wrote:
> Add VHOST_USER_GET_CONFIG/VHOST_USER_SET_CONFIG messages which can be
> used for live migration of vhost user devices, also vhost user devices
> can benefit from the messages to get/set virtio config space from/to the
> I/O target. For the purpose to support virtio config space change,
> VHOST_USER_SET_CONFIG_FD message is added as the event notifier
> in case virtio config space change in the I/O target.
> 
> Signed-off-by: Changpeng Liu 
> ---
>  docs/interop/vhost-user.txt   | 39 
>  hw/virtio/vhost-user.c| 98 
> +++
>  hw/virtio/vhost.c | 63 +
>  include/hw/virtio/vhost-backend.h |  8 
>  include/hw/virtio/vhost.h | 16 +++
>  5 files changed, 224 insertions(+)
> 
> diff --git a/docs/interop/vhost-user.txt b/docs/interop/vhost-user.txt
> index 954771d..1b98388 100644
> --- a/docs/interop/vhost-user.txt
> +++ b/docs/interop/vhost-user.txt
> @@ -116,6 +116,16 @@ Depending on the request type, payload can be:
>  - 3: IOTLB invalidate
>  - 4: IOTLB access fail
>  
> + * Virtio device config space
> +   ---
> +   | offset | size | payload |
> +   ---
> +
> +   Offset: a 32-bit offset of virtio device's configuration space
> +   Size: a 32-bit size of configuration space that master wanted to change

I guess only legal values here are 1-256? But also see below. Also, we
already know the structure size.

> +   Payload: a 256-bytes array holding the contents of the virtio
> +   device's configuration space
> +

Why not *size* bytes? These are not performance critical but still,
why waste cycles.

>  In QEMU the vhost-user message is implemented with the following struct:
>  
>  typedef struct VhostUserMsg {

Virtio spec says:
For device configuration access, the driver MUST use 8-bit wide 
accesses for 8-bit wide fields, 16-bit wide
and aligned accesses for 16-bit wide fields and 32-bit wide and aligned 
accesses for 32-bit and 64-bit wide
fields. For 64-bit fields, the driver MAY access each of the high and 
low 32-bit parts of the field independently.

So if these commands mirror guest accesses, they are always 1,2,4 or 8 bytes,
and aligned.


-- 
MST

Re: [Qemu-devel] [PATCH v5 1/4] vhost-user: add new vhost user messages to support virtio config space

2017-11-22 Thread Paolo Bonzini 
On 21/11/2017 04:12, Michael S. Tsirkin wrote:
>> Fair enough, but I'd add nevertheless a 32-bit flags field to both
>> GET_CONFIG and SET_CONFIG, and document that the slave MUST check that
>> it is zero and otherwise fail.
>
> We generally just use protocol feature bits for extensions.
> But I have no problem with reserved padding if desired
> which seems to be what's described here.

Correct, you would still have a protocol feature bit, but the format
would be less susceptible to struct size changes which can simplify the
implementation a bit.

Paolo

Re: [Qemu-devel] [PATCH v5 1/4] vhost-user: add new vhost user messages to support virtio config space

2017-11-21 Thread Liu, Changpeng 


> -Original Message-
> From: Michael S. Tsirkin [mailto:m...@redhat.com]
> Sent: Tuesday, November 21, 2017 4:45 AM
> To: Stefan Hajnoczi 
> Cc: Liu, Changpeng ; qemu-devel@nongnu.org;
> pbonz...@redhat.com; marcandre.lur...@redhat.com; fel...@nutanix.com;
> Harris, James R 
> Subject: Re: [PATCH v5 1/4] vhost-user: add new vhost user messages to support
> virtio config space
> 
> On Mon, Nov 20, 2017 at 04:26:31PM +, Stefan Hajnoczi wrote:
> > On Fri, Nov 17, 2017 at 04:44:37AM +0800, Changpeng Liu wrote:
> > > Add VHOST_USER_GET_CONFIG/VHOST_USER_SET_CONFIG messages which
> can be
> > > used for live migration of vhost user devices, also vhost user devices
> > > can benefit from the messages to get/set virtio config space from/to the
> > > I/O target. For the purpose to support virtio config space change,
> > > VHOST_USER_SET_CONFIG_FD message is added as the event notifier
> > > in case virtio config space change in the I/O target.
> > >
> > > Signed-off-by: Changpeng Liu 
> > > ---
> > >  docs/interop/vhost-user.txt   | 39 
> > >  hw/virtio/vhost-user.c| 98
> +++
> > >  hw/virtio/vhost.c | 63 +
> > >  include/hw/virtio/vhost-backend.h |  8 
> > >  include/hw/virtio/vhost.h | 16 +++
> > >  5 files changed, 224 insertions(+)
> > >
> > > diff --git a/docs/interop/vhost-user.txt b/docs/interop/vhost-user.txt
> > > index 954771d..1b98388 100644
> > > --- a/docs/interop/vhost-user.txt
> > > +++ b/docs/interop/vhost-user.txt
> > > @@ -116,6 +116,16 @@ Depending on the request type, payload can be:
> > >  - 3: IOTLB invalidate
> > >  - 4: IOTLB access fail
> > >
> > > + * Virtio device config space
> > > +   ---
> > > +   | offset | size | payload |
> > > +   ---
> > > +
> > > +   Offset: a 32-bit offset of virtio device's configuration space
> >
> > s/of/in the/
> >
> > > +   Size: a 32-bit size of configuration space that master wanted to 
> > > change
> >
> > Is this also used for GET_CONFIG?  If yes, I suggest "a 32-bit
> > configuration space access size in bytes".
> >
> > Please mention that Size must be <= 256 bytes.
> >
> > > +   Payload: a 256-bytes array holding the contents of the virtio
> > > +   device's configuration space
> >
> > What about bytes outside the [offset, offset+size) range?  I guess they
> > must be 0 and are ignored by the master/slave.
> >
> > Would it be cleaner to make Payload a variable-sized field with Size
> > bytes?  That way it's not necessary to transfer 0s and memcpy() a subset
> > of the payload array.
> >
> > > +
> > >  In QEMU the vhost-user message is implemented with the following struct:
> > >
> > >  typedef struct VhostUserMsg {
> > > @@ -129,6 +139,7 @@ typedef struct VhostUserMsg {
> > >  VhostUserMemory memory;
> > >  VhostUserLog log;
> > >  struct vhost_iotlb_msg iotlb;
> > > +VhostUserConfig config;
> > >  };
> > >  } QEMU_PACKED VhostUserMsg;
> > >
> > > @@ -596,6 +607,34 @@ Master message types
> > >and expect this message once (per VQ) during device configuration
> > >(ie. before the master starts the VQ).
> > >
> > > + * VHOST_USER_GET_CONFIG
> > > +  Id: 24
> > > +  Equivalent ioctl: N/A
> > > +  Master payload: virtio device config space
> > > +
> > > +  Submitted by the vhost-user master to fetch the contents of the 
> > > virtio
> > > +  device configuration space. The vhost-user master may cache the 
> > > contents
> > > +  to avoid repeated VHOST_USER_GET_CONFIG calls.
> > > +
> > > +* VHOST_USER_SET_CONFIG
> > > +  Id: 25
> > > +  Equivalent ioctl: N/A
> > > +  Master payload: virtio device config space
> > > +
> > > +  Submitted by the vhost-user master when the Guest changes the 
> > > virtio
> > > +  device configuration space and also can be used for live migration
> > > +  on the destination host.
> >
> > There might be security issues if the vhost slave cannot tell whether
> > SET_CONFIG is coming from the guest driver or from the master process
> > (live migration).  Typically certain fields are read-only for the guest
> > driver.  Maybe those fields need to be set by the master after live
> > migration.
> >
> > One way to solve this is adding a flags field to the message.  A special
> > flag can be used for live migration so the slave knows that this
> > SET_CONFIG message is allowed to write to read-only fields.
> >
> > It's also worth documenting that slaves MUST NOT accept SET_CONFIG for
> > read-only configuration space fields unless the live migration bit is
> > set.  Hopefully this will remind implementors to think through the
> > security issues.
> 
> Live migrations is supposed to be migrating guest writeable state too.
> If you mean migrating

Re: [Qemu-devel] [PATCH v5 1/4] vhost-user: add new vhost user messages to support virtio config space

2017-11-21 Thread Liu, Changpeng 


> -Original Message-
> From: Stefan Hajnoczi [mailto:stefa...@gmail.com]
> Sent: Tuesday, November 21, 2017 12:27 AM
> To: Liu, Changpeng 
> Cc: qemu-devel@nongnu.org; pbonz...@redhat.com; m...@redhat.com;
> marcandre.lur...@redhat.com; fel...@nutanix.com; Harris, James R
> 
> Subject: Re: [PATCH v5 1/4] vhost-user: add new vhost user messages to support
> virtio config space
> 
> On Fri, Nov 17, 2017 at 04:44:37AM +0800, Changpeng Liu wrote:
> > Add VHOST_USER_GET_CONFIG/VHOST_USER_SET_CONFIG messages which can
> be
> > used for live migration of vhost user devices, also vhost user devices
> > can benefit from the messages to get/set virtio config space from/to the
> > I/O target. For the purpose to support virtio config space change,
> > VHOST_USER_SET_CONFIG_FD message is added as the event notifier
> > in case virtio config space change in the I/O target.
> >
> > Signed-off-by: Changpeng Liu 
> > ---
> >  docs/interop/vhost-user.txt   | 39 
> >  hw/virtio/vhost-user.c| 98 
> > +++
> >  hw/virtio/vhost.c | 63 +
> >  include/hw/virtio/vhost-backend.h |  8 
> >  include/hw/virtio/vhost.h | 16 +++
> >  5 files changed, 224 insertions(+)
> >
> > diff --git a/docs/interop/vhost-user.txt b/docs/interop/vhost-user.txt
> > index 954771d..1b98388 100644
> > --- a/docs/interop/vhost-user.txt
> > +++ b/docs/interop/vhost-user.txt
> > @@ -116,6 +116,16 @@ Depending on the request type, payload can be:
> >  - 3: IOTLB invalidate
> >  - 4: IOTLB access fail
> >
> > + * Virtio device config space
> > +   ---
> > +   | offset | size | payload |
> > +   ---
> > +
> > +   Offset: a 32-bit offset of virtio device's configuration space
> 
> s/of/in the/
> 
> > +   Size: a 32-bit size of configuration space that master wanted to change
> 
> Is this also used for GET_CONFIG?  If yes, I suggest "a 32-bit
> configuration space access size in bytes".
ok.
> 
> Please mention that Size must be <= 256 bytes.
> 
> > +   Payload: a 256-bytes array holding the contents of the virtio
> > +   device's configuration space
> 
> What about bytes outside the [offset, offset+size) range?  I guess they
> must be 0 and are ignored by the master/slave.
> 
> Would it be cleaner to make Payload a variable-sized field with Size
> bytes?  That way it's not necessary to transfer 0s and memcpy() a subset
> of the payload array.
sounds good, but for vhost-blk driver it can call get_config for the whole 
virtio_blk_config space.
> 
> > +
> >  In QEMU the vhost-user message is implemented with the following struct:
> >
> >  typedef struct VhostUserMsg {
> > @@ -129,6 +139,7 @@ typedef struct VhostUserMsg {
> >  VhostUserMemory memory;
> >  VhostUserLog log;
> >  struct vhost_iotlb_msg iotlb;
> > +VhostUserConfig config;
> >  };
> >  } QEMU_PACKED VhostUserMsg;
> >
> > @@ -596,6 +607,34 @@ Master message types
> >and expect this message once (per VQ) during device configuration
> >(ie. before the master starts the VQ).
> >
> > + * VHOST_USER_GET_CONFIG
> > +  Id: 24
> > +  Equivalent ioctl: N/A
> > +  Master payload: virtio device config space
> > +
> > +  Submitted by the vhost-user master to fetch the contents of the 
> > virtio
> > +  device configuration space. The vhost-user master may cache the 
> > contents
> > +  to avoid repeated VHOST_USER_GET_CONFIG calls.
> > +
> > +* VHOST_USER_SET_CONFIG
> > +  Id: 25
> > +  Equivalent ioctl: N/A
> > +  Master payload: virtio device config space
> > +
> > +  Submitted by the vhost-user master when the Guest changes the virtio
> > +  device configuration space and also can be used for live migration
> > +  on the destination host.
> 
> There might be security issues if the vhost slave cannot tell whether
> SET_CONFIG is coming from the guest driver or from the master process
> (live migration).  Typically certain fields are read-only for the guest
> driver.  Maybe those fields need to be set by the master after live
> migration.
> 
> One way to solve this is adding a flags field to the message.  A special
> flag can be used for live migration so the slave knows that this
> SET_CONFIG message is allowed to write to read-only fields.
> 
Ok.
> It's also worth documenting that slaves MUST NOT accept SET_CONFIG for
> read-only configuration space fields unless the live migration bit is
> set.  Hopefully this will remind implementors to think through the
> security issues.

Re: [Qemu-devel] [PATCH v5 1/4] vhost-user: add new vhost user messages to support virtio config space

2017-11-21 Thread Liu, Changpeng 


> -Original Message-
> From: Paolo Bonzini [mailto:pbonz...@redhat.com]
> Sent: Tuesday, November 21, 2017 8:16 AM
> To: Michael S. Tsirkin ; Stefan Hajnoczi 
> Cc: Liu, Changpeng ; qemu-devel@nongnu.org;
> marcandre.lur...@redhat.com; fel...@nutanix.com; Harris, James R
> 
> Subject: Re: [PATCH v5 1/4] vhost-user: add new vhost user messages to support
> virtio config space
> 
> On 20/11/2017 21:44, Michael S. Tsirkin wrote:
> > Live migrations is supposed to be migrating guest writeable state too.
> > If you mean migrating RO fields like size, then
> > I don't think it's a good idea to reuse SET_CONFIG for that.
> > SET_CONFIG should obey exactly the virtio semantics.
> >
> > And I agree, it should say that slave must treat it as a write,
> > and get config as a read according to virtio semantics.
> >
> > If someone needs to pass configuration from qemu to
> > slave, let's add specific messages with precisely defined semantics.
> 
> Fair enough, but I'd add nevertheless a 32-bit flags field to both
> GET_CONFIG and SET_CONFIG, and document that the slave MUST check that
> it is zero and otherwise fail.
Ok.
> 
> Paolo

Re: [Qemu-devel] [PATCH v5 1/4] vhost-user: add new vhost user messages to support virtio config space

2017-11-20 Thread Michael S. Tsirkin 
On Tue, Nov 21, 2017 at 01:16:12AM +0100, Paolo Bonzini wrote:
> On 20/11/2017 21:44, Michael S. Tsirkin wrote:
> > Live migrations is supposed to be migrating guest writeable state too.
> > If you mean migrating RO fields like size, then
> > I don't think it's a good idea to reuse SET_CONFIG for that.
> > SET_CONFIG should obey exactly the virtio semantics.
> > 
> > And I agree, it should say that slave must treat it as a write,
> > and get config as a read according to virtio semantics.
> > 
> > If someone needs to pass configuration from qemu to
> > slave, let's add specific messages with precisely defined semantics.
> 
> Fair enough, but I'd add nevertheless a 32-bit flags field to both
> GET_CONFIG and SET_CONFIG, and document that the slave MUST check that
> it is zero and otherwise fail.
> 
> Paolo

We generally just use protocol feature bits for extensions.
But I have no problem with reserved padding if desired
which seems to be what's described here.

-- 
MST

Re: [Qemu-devel] [PATCH v5 1/4] vhost-user: add new vhost user messages to support virtio config space

2017-11-20 Thread Paolo Bonzini 
On 20/11/2017 21:44, Michael S. Tsirkin wrote:
> Live migrations is supposed to be migrating guest writeable state too.
> If you mean migrating RO fields like size, then
> I don't think it's a good idea to reuse SET_CONFIG for that.
> SET_CONFIG should obey exactly the virtio semantics.
> 
> And I agree, it should say that slave must treat it as a write,
> and get config as a read according to virtio semantics.
> 
> If someone needs to pass configuration from qemu to
> slave, let's add specific messages with precisely defined semantics.

Fair enough, but I'd add nevertheless a 32-bit flags field to both
GET_CONFIG and SET_CONFIG, and document that the slave MUST check that
it is zero and otherwise fail.

Paolo

Re: [Qemu-devel] [PATCH v5 1/4] vhost-user: add new vhost user messages to support virtio config space

2017-11-20 Thread Michael S. Tsirkin 
On Mon, Nov 20, 2017 at 04:26:31PM +, Stefan Hajnoczi wrote:
> On Fri, Nov 17, 2017 at 04:44:37AM +0800, Changpeng Liu wrote:
> > Add VHOST_USER_GET_CONFIG/VHOST_USER_SET_CONFIG messages which can be
> > used for live migration of vhost user devices, also vhost user devices
> > can benefit from the messages to get/set virtio config space from/to the
> > I/O target. For the purpose to support virtio config space change,
> > VHOST_USER_SET_CONFIG_FD message is added as the event notifier
> > in case virtio config space change in the I/O target.
> > 
> > Signed-off-by: Changpeng Liu 
> > ---
> >  docs/interop/vhost-user.txt   | 39 
> >  hw/virtio/vhost-user.c| 98 
> > +++
> >  hw/virtio/vhost.c | 63 +
> >  include/hw/virtio/vhost-backend.h |  8 
> >  include/hw/virtio/vhost.h | 16 +++
> >  5 files changed, 224 insertions(+)
> > 
> > diff --git a/docs/interop/vhost-user.txt b/docs/interop/vhost-user.txt
> > index 954771d..1b98388 100644
> > --- a/docs/interop/vhost-user.txt
> > +++ b/docs/interop/vhost-user.txt
> > @@ -116,6 +116,16 @@ Depending on the request type, payload can be:
> >  - 3: IOTLB invalidate
> >  - 4: IOTLB access fail
> >  
> > + * Virtio device config space
> > +   ---
> > +   | offset | size | payload |
> > +   ---
> > +
> > +   Offset: a 32-bit offset of virtio device's configuration space
> 
> s/of/in the/
> 
> > +   Size: a 32-bit size of configuration space that master wanted to change
> 
> Is this also used for GET_CONFIG?  If yes, I suggest "a 32-bit
> configuration space access size in bytes".
> 
> Please mention that Size must be <= 256 bytes.
> 
> > +   Payload: a 256-bytes array holding the contents of the virtio
> > +   device's configuration space
> 
> What about bytes outside the [offset, offset+size) range?  I guess they
> must be 0 and are ignored by the master/slave.
> 
> Would it be cleaner to make Payload a variable-sized field with Size
> bytes?  That way it's not necessary to transfer 0s and memcpy() a subset
> of the payload array.
> 
> > +
> >  In QEMU the vhost-user message is implemented with the following struct:
> >  
> >  typedef struct VhostUserMsg {
> > @@ -129,6 +139,7 @@ typedef struct VhostUserMsg {
> >  VhostUserMemory memory;
> >  VhostUserLog log;
> >  struct vhost_iotlb_msg iotlb;
> > +VhostUserConfig config;
> >  };
> >  } QEMU_PACKED VhostUserMsg;
> >  
> > @@ -596,6 +607,34 @@ Master message types
> >and expect this message once (per VQ) during device configuration
> >(ie. before the master starts the VQ).
> >  
> > + * VHOST_USER_GET_CONFIG
> > +  Id: 24
> > +  Equivalent ioctl: N/A
> > +  Master payload: virtio device config space
> > +
> > +  Submitted by the vhost-user master to fetch the contents of the 
> > virtio
> > +  device configuration space. The vhost-user master may cache the 
> > contents
> > +  to avoid repeated VHOST_USER_GET_CONFIG calls.
> > +
> > +* VHOST_USER_SET_CONFIG
> > +  Id: 25
> > +  Equivalent ioctl: N/A
> > +  Master payload: virtio device config space
> > +
> > +  Submitted by the vhost-user master when the Guest changes the virtio
> > +  device configuration space and also can be used for live migration
> > +  on the destination host.
> 
> There might be security issues if the vhost slave cannot tell whether
> SET_CONFIG is coming from the guest driver or from the master process
> (live migration).  Typically certain fields are read-only for the guest
> driver.  Maybe those fields need to be set by the master after live
> migration.
> 
> One way to solve this is adding a flags field to the message.  A special
> flag can be used for live migration so the slave knows that this
> SET_CONFIG message is allowed to write to read-only fields.
> 
> It's also worth documenting that slaves MUST NOT accept SET_CONFIG for
> read-only configuration space fields unless the live migration bit is
> set.  Hopefully this will remind implementors to think through the
> security issues.

Live migrations is supposed to be migrating guest writeable state too.
If you mean migrating RO fields like size, then
I don't think it's a good idea to reuse SET_CONFIG for that.
SET_CONFIG should obey exactly the virtio semantics.

And I agree, it should say that slave must treat it as a write,
and get config as a read according to virtio semantics.

If someone needs to pass configuration from qemu to
slave, let's add specific messages with precisely defined semantics.

Which reminds me.

virtio 1 changed endian-ness for config.

I think we should specify it's all virtio 1 format, and
just disallow vhost blk for virtio 0 guests.

-- 
MST

Re: [Qemu-devel] [PATCH v5 1/4] vhost-user: add new vhost user messages to support virtio config space

2017-11-20 Thread Stefan Hajnoczi 
On Fri, Nov 17, 2017 at 04:44:37AM +0800, Changpeng Liu wrote:
> Add VHOST_USER_GET_CONFIG/VHOST_USER_SET_CONFIG messages which can be
> used for live migration of vhost user devices, also vhost user devices
> can benefit from the messages to get/set virtio config space from/to the
> I/O target. For the purpose to support virtio config space change,
> VHOST_USER_SET_CONFIG_FD message is added as the event notifier
> in case virtio config space change in the I/O target.
> 
> Signed-off-by: Changpeng Liu 
> ---
>  docs/interop/vhost-user.txt   | 39 
>  hw/virtio/vhost-user.c| 98 
> +++
>  hw/virtio/vhost.c | 63 +
>  include/hw/virtio/vhost-backend.h |  8 
>  include/hw/virtio/vhost.h | 16 +++
>  5 files changed, 224 insertions(+)
> 
> diff --git a/docs/interop/vhost-user.txt b/docs/interop/vhost-user.txt
> index 954771d..1b98388 100644
> --- a/docs/interop/vhost-user.txt
> +++ b/docs/interop/vhost-user.txt
> @@ -116,6 +116,16 @@ Depending on the request type, payload can be:
>  - 3: IOTLB invalidate
>  - 4: IOTLB access fail
>  
> + * Virtio device config space
> +   ---
> +   | offset | size | payload |
> +   ---
> +
> +   Offset: a 32-bit offset of virtio device's configuration space

s/of/in the/

> +   Size: a 32-bit size of configuration space that master wanted to change

Is this also used for GET_CONFIG?  If yes, I suggest "a 32-bit
configuration space access size in bytes".

Please mention that Size must be <= 256 bytes.

> +   Payload: a 256-bytes array holding the contents of the virtio
> +   device's configuration space

What about bytes outside the [offset, offset+size) range?  I guess they
must be 0 and are ignored by the master/slave.

Would it be cleaner to make Payload a variable-sized field with Size
bytes?  That way it's not necessary to transfer 0s and memcpy() a subset
of the payload array.

> +
>  In QEMU the vhost-user message is implemented with the following struct:
>  
>  typedef struct VhostUserMsg {
> @@ -129,6 +139,7 @@ typedef struct VhostUserMsg {
>  VhostUserMemory memory;
>  VhostUserLog log;
>  struct vhost_iotlb_msg iotlb;
> +VhostUserConfig config;
>  };
>  } QEMU_PACKED VhostUserMsg;
>  
> @@ -596,6 +607,34 @@ Master message types
>and expect this message once (per VQ) during device configuration
>(ie. before the master starts the VQ).
>  
> + * VHOST_USER_GET_CONFIG
> +  Id: 24
> +  Equivalent ioctl: N/A
> +  Master payload: virtio device config space
> +
> +  Submitted by the vhost-user master to fetch the contents of the virtio
> +  device configuration space. The vhost-user master may cache the 
> contents
> +  to avoid repeated VHOST_USER_GET_CONFIG calls.
> +
> +* VHOST_USER_SET_CONFIG
> +  Id: 25
> +  Equivalent ioctl: N/A
> +  Master payload: virtio device config space
> +
> +  Submitted by the vhost-user master when the Guest changes the virtio
> +  device configuration space and also can be used for live migration
> +  on the destination host.

There might be security issues if the vhost slave cannot tell whether
SET_CONFIG is coming from the guest driver or from the master process
(live migration).  Typically certain fields are read-only for the guest
driver.  Maybe those fields need to be set by the master after live
migration.

One way to solve this is adding a flags field to the message.  A special
flag can be used for live migration so the slave knows that this
SET_CONFIG message is allowed to write to read-only fields.

It's also worth documenting that slaves MUST NOT accept SET_CONFIG for
read-only configuration space fields unless the live migration bit is
set.  Hopefully this will remind implementors to think through the
security issues.


signature.asc
Description: PGP signature

[Qemu-devel] [PATCH v5 1/4] vhost-user: add new vhost user messages to support virtio config space

2017-11-16 Thread Changpeng Liu 
Add VHOST_USER_GET_CONFIG/VHOST_USER_SET_CONFIG messages which can be
used for live migration of vhost user devices, also vhost user devices
can benefit from the messages to get/set virtio config space from/to the
I/O target. For the purpose to support virtio config space change,
VHOST_USER_SET_CONFIG_FD message is added as the event notifier
in case virtio config space change in the I/O target.

Signed-off-by: Changpeng Liu 
---
 docs/interop/vhost-user.txt   | 39 
 hw/virtio/vhost-user.c| 98 +++
 hw/virtio/vhost.c | 63 +
 include/hw/virtio/vhost-backend.h |  8 
 include/hw/virtio/vhost.h | 16 +++
 5 files changed, 224 insertions(+)

diff --git a/docs/interop/vhost-user.txt b/docs/interop/vhost-user.txt
index 954771d..1b98388 100644
--- a/docs/interop/vhost-user.txt
+++ b/docs/interop/vhost-user.txt
@@ -116,6 +116,16 @@ Depending on the request type, payload can be:
 - 3: IOTLB invalidate
 - 4: IOTLB access fail
 
+ * Virtio device config space
+   ---
+   | offset | size | payload |
+   ---
+
+   Offset: a 32-bit offset of virtio device's configuration space
+   Size: a 32-bit size of configuration space that master wanted to change
+   Payload: a 256-bytes array holding the contents of the virtio
+   device's configuration space
+
 In QEMU the vhost-user message is implemented with the following struct:
 
 typedef struct VhostUserMsg {
@@ -129,6 +139,7 @@ typedef struct VhostUserMsg {
 VhostUserMemory memory;
 VhostUserLog log;
 struct vhost_iotlb_msg iotlb;
+VhostUserConfig config;
 };
 } QEMU_PACKED VhostUserMsg;
 
@@ -596,6 +607,34 @@ Master message types
   and expect this message once (per VQ) during device configuration
   (ie. before the master starts the VQ).
 
+ * VHOST_USER_GET_CONFIG
+  Id: 24
+  Equivalent ioctl: N/A
+  Master payload: virtio device config space
+
+  Submitted by the vhost-user master to fetch the contents of the virtio
+  device configuration space. The vhost-user master may cache the contents
+  to avoid repeated VHOST_USER_GET_CONFIG calls.
+
+* VHOST_USER_SET_CONFIG
+  Id: 25
+  Equivalent ioctl: N/A
+  Master payload: virtio device config space
+
+  Submitted by the vhost-user master when the Guest changes the virtio
+  device configuration space and also can be used for live migration
+  on the destination host.
+
+* VHOST_USER_SET_CONFIG_FD
+  Id: 26
+  Equivalent ioctl: N/A
+  Master payload: N/A
+
+  Sets the notifier file descriptor, which is passed as ancillary data.
+  The vhost-user slave uses the file descriptor to notify the vhost-user
+  master of changes to the virtio configuration space. The vhost-user
+  master can read the virtio configuration space to get the latest update.
+
 Slave message types
 ---
 
diff --git a/hw/virtio/vhost-user.c b/hw/virtio/vhost-user.c
index 093675e..ef1687b 100644
--- a/hw/virtio/vhost-user.c
+++ b/hw/virtio/vhost-user.c
@@ -26,6 +26,11 @@
 #define VHOST_MEMORY_MAX_NREGIONS8
 #define VHOST_USER_F_PROTOCOL_FEATURES 30
 
+/*
+ * Maximum size of virtio device config space
+ */
+#define VHOST_USER_MAX_CONFIG_SIZE 256
+
 enum VhostUserProtocolFeature {
 VHOST_USER_PROTOCOL_F_MQ = 0,
 VHOST_USER_PROTOCOL_F_LOG_SHMFD = 1,
@@ -65,6 +70,9 @@ typedef enum VhostUserRequest {
 VHOST_USER_SET_SLAVE_REQ_FD = 21,
 VHOST_USER_IOTLB_MSG = 22,
 VHOST_USER_SET_VRING_ENDIAN = 23,
+VHOST_USER_GET_CONFIG = 24,
+VHOST_USER_SET_CONFIG = 25,
+VHOST_USER_SET_CONFIG_FD = 26,
 VHOST_USER_MAX
 } VhostUserRequest;
 
@@ -92,6 +100,12 @@ typedef struct VhostUserLog {
 uint64_t mmap_offset;
 } VhostUserLog;
 
+typedef struct VhostUserConfig {
+uint32_t offset;
+uint32_t size;
+uint8_t region[VHOST_USER_MAX_CONFIG_SIZE];
+} VhostUserConfig;
+
 typedef struct VhostUserMsg {
 VhostUserRequest request;
 
@@ -109,6 +123,7 @@ typedef struct VhostUserMsg {
 VhostUserMemory memory;
 VhostUserLog log;
 struct vhost_iotlb_msg iotlb;
+VhostUserConfig config;
 } payload;
 } QEMU_PACKED VhostUserMsg;
 
@@ -922,6 +937,86 @@ static void vhost_user_set_iotlb_callback(struct vhost_dev 
*dev, int enabled)
 /* No-op as the receive channel is not dedicated to IOTLB messages. */
 }
 
+static int vhost_user_get_config(struct vhost_dev *dev, uint8_t *config,
+ size_t config_len)
+{
+VhostUserMsg msg = {
+.request = VHOST_USER_GET_CONFIG,
+.flags = VHOST_USER_VERSION,
+.size = sizeof(msg.payload.config),
+};
+
+if (vhost_user_write(dev, , NULL, 0) < 0) {
+return -1;
+}
+
+if (vhost_user_read(dev, ) < 0) {
+return -1;
+}
+
+if (msg.request !=